2 Answers
2

It depends on the particular API call you are making. However, any call that includes an access token to either Facebook's REST or Graph API must be over SSL. Facebook will deny the request from their server if you include an access token over a non-secure request. The only API calls that wouldn't be over SSL are ones that access publicly available information such as http://graph.facebook.com/zuck/. This isn't specific to any single Facebook client SDK; this applies to any client accessing Facebook's API servers.

Thanks, that's exactly the kind of info I was looking for. After thinking about it, I decided it wasn't vulnerable to Firesheep itself, since Android sessions don't show up in my FB session list. But it's good to know the FB API uses a secure connection. (Now why haven't they been doing that with the web UI? Hopefully that will change soon.)
– vanmelle Oct 27 '10 at 23:05
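The rule in this answer (a credential such as an access token or session cookie must never travel over plain HTTP, while a public resource like /zuck/ may) can be checked against an app's own traffic. The following is an added example, not code from the answer or from any Facebook SDK; it audits a constructed list of requests, as a proxy log of the Android app's traffic might record them, and reports every plaintext request that carries a credential.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests (not real captures); token and cookie values are placeholders.
SAMPLE_REQUESTS = [
    {"url": "https://graph.facebook.com/me?access_token=EXAMPLE_TOKEN", "headers": {}},
    # Public object fetched without a token: plaintext is acceptable per the answer above.
    {"url": "http://graph.facebook.com/zuck/", "headers": {}},
    # Token sent over plain HTTP: this is what the answer says Facebook rejects.
    {"url": "http://graph.facebook.com/me/friends?access_token=EXAMPLE_TOKEN", "headers": {}},
    # Session cookie over plain HTTP: the hijackable case discussed in the thread.
    {"url": "http://m.facebook.com/home.php", "headers": {"Cookie": "c_user=123; xs=EXAMPLE"}},
]

# Query parameters and headers that carry a credential.
SECRET_PARAMS = {"access_token", "oauth_token"}
SECRET_HEADERS = {"cookie", "authorization"}


def find_plaintext_credentials(requests):
    """Return a list of (url, reason) for each request that sends a credential without TLS."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme == "https":
            continue  # encrypted in transit; nothing to flag
        leaked = sorted(SECRET_PARAMS & set(parse_qs(parts.query)))
        for name, value in req.get("headers", {}).items():
            if name.lower() in SECRET_HEADERS and value:
                leaked.append(name)
        if leaked:
            findings.append((req["url"], "plaintext " + ", ".join(leaked)))
    return findings


if __name__ == "__main__":
    for url, reason in find_plaintext_credentials(SAMPLE_REQUESTS):
        print(f"{reason}: {url}")
```

Any line it prints is a request that a passive listener on the same Wi-Fi could read and replay; a clean run means every credential-bearing request used HTTPS.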

DroidSheep (makers of an Android app similar to Firesheep) claims on its website that the official Facebook app does not use HTTPS:

Facebook enforces every developer, who wants to use the Facebook API in his application, to use SSL for any request to Facebook (LINK). This is ironic – they do not use encryption for their API themselves!
The official Facebook Android app sends its cookie and HTTP requests unencrypted to Facebook, and DroidSheep can simply hijack the requests and the account – even if the user has HTTPS enabled.

I wanted to verify this, but Firefox said Firesheep wasn't compatible with this version and blablabla... I gave up easily :) Maybe someone else could confirm this is true by actually capturing such packets being sent to/from their phone.

I suspect DroidSheep's claim may be partially true - at least for whatever version was on my old Droid Incredible - as, after recently using Wi-Fi in an airport, Facebook told me an unknown device (estimated to be on the other side of the country) logged in to my account.